It was reported in the media on Friday (3 February 2012) that the Metropolitan Police and Federal Bureau of Investigation (FBI) have launched a criminal investigation after computer hackers intercepted a conference call between cyber security experts.
The sensitive call was leaked by ‘Anonymous’. Ironically enough, the nature of the call was about current suspects and their cases and yet the possible suspects got hold of the conference call and then leaked it. Although one would assume that cyber security experts would know how to secure a simple teleconference call. However, this appears not to be the case.
Teleconference calls are normally done through hosted platforms such as BT, Webex or AT&T. Generally you dial into a phone number (0844 or similar), enter a username and then pin. The key is to guard the phone number, username and pin.
Upon analysing how the call was leaked it appears there was a possibility of two options – to get hold of the phone number, username and pin or get hold of the recording (MP3, WAV file). In order to get hold of the call security details you would need to intercept an email or a hack an email account. Getting hold of the recording file would be very similar, to hack into an email.
Email is widely known or in their case possibly not known as being insecure. Messages travel through thousands of miles of cable, going through various routers, switchers, server and ISPS. It is possible someone with access to the chain could have intercepted the email. The call file recording might have been emailed to the Metropolitan Police, FBI employees, or as a document for anyone who might have missed the original call.
Most IT security professionals know that email is not a secure method of data transfer and therefore more secure measures should have been taken. So how could they have secured the call better? Hand out the teleconference security details by letter (secure courier), give the information out over the phone or use an encrypted email? Another option is to conduct the call over an encrypted phone line or encrypted mobile line.
We have all heard the saying “security is only as strong as the weakest link”. There is a possibility one of the members of the FBI or Metropolitan Police were not fully aware of the sensitivity of the case or a PA sent an email without fully knowing the risk. This highlights the importance of training. Every single staff member within a sensitive organisation needs to be trained in security awareness including administration staff to prevent future incidents of hacking.